Squidguard redirect in pfsense 2.2.3

franklinsj

Hello everyone. I have the following 2 scenarios:

2.2.3-RELEASE (amd64) with squid 2.7.9 pkg v.4.3.6 and squidguard 1.9.14 in a test environment and

2.0.1-RELEASE (i386) with squid 2.7.9 pkg v.4.3.3  and squidguard 1.4_4 pkg v.1.9.2 in production

I have a situation with the way squidguard redirects the pages that are blocked.  For example, in the older set up if someone goes to http://newspaper.com and the page is blocked the page url remains the same but shows an error message with the user's ip address, target group, etc.  On the other hand, on the new set up it would redirect to http://[pfsense server ip address]/sgerror.php?[some parameters] and show the same error information as in the older set up.

Is there a way to avoid the new set up from redirecting to the pfsense server's ip address and keep the original intended website url instead?

Thank you very much.

franklinsj

Looks like i found what was originating the problem.  I restricted port 80 and 443 on the lab set up for security purposes so that only IT personnel could access the server, after unblocking the ports the redirect worked same way as the older set up.

Seems that if I want to protect the server against unauthorized access the best that can be done for now is installing and configuring snort instead of blocking web access (please someone correct me here if i'm wrong)

Thanks.

KOM

You're afraid your cache users will try to hack pfSense if they know the IP address that squid is listening on?  You can restrict who is allowed to use the proxy, and you can restrict who is allowed to login to pfSense so I'm not sure I'm seeing the problem.

franklinsj

That is correct, i want to avoid access to the web configurator by people that is not supposed to access.  So is there an option where I can restrict access to the web configurator while still letting people access the web server in pfsense so they get the blocked page messages from squid correctly?

KOM

You have to login with a valid name and password to the WebGUI.  Isn't that enough to keep people out?

franklinsj

Sure, but it is also a good practice to restrict management ports when possible :)

franklinsj

Looks like I figured it out.  For us to be able to block ports 80 and 443 we had to create a custom error page in another server and configure squidguard to redirect the errors to it in Group ACL  > Redirect mode  set to ext url err page (enter URL) and on the redirect box http://other_server_ip/path_to_custom_error_page/index.php?clientAddress=%a&clientName=%n&clientUser=%i&clientGroup=%s&targetGroup=%t&clientUrl=%u

I'm not the greatest at web pages but this is the code for the basic custom error page, once it is displayed you will realize that it is obviously based on the pfsense built in error page

$clientAddress = $_GET['clientAddress'];
$clientName = $_GET['clientName'];
$clientUser = $_GET['clientUser'];
$clientGroup = $_GET['clientGroup'];
$targetGroup = $_GET['targetGroup'];
$clientUrl = $_GET['clientUrl'];

echo "\n";
echo "\n";
echo "

### Request denied by pfSense proxy: 403 Forbiden";
echo "

\n";
echo " **Reason:** 

\n";
echo "

* * *

";
echo " **Client address:** ";
echo "$clientAddress";
echo "
\n";
echo " **Client group:** ";
echo "$clientGroup";
echo "
\n";
echo " **Target group:** ";
echo "$targetGroup";
echo "
\n";
echo " **URL:** ";
echo "$clientUrl";
echo "
\n";
echo "

* * *

";
echo "\n";
echo "\n";

#RESPONSE CODE

http_response_code(403);

?>